GitHub_MVULNRICHMENT:CVE-2024-37886CVE-2024-37886 Nextcloud user_oidc's ID4me does not validate signature or expiration
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
6.8 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
15.6%
user_oidc app is an OpenID Connect user backend for Nextcloud. An attacker could potentially trick the app into accepting a request that is not signed by the correct server. It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0.
CNA Affected
[
{
"vendor": "nextcloud",
"product": "security-advisories",
"versions": [
{
"status": "affected",
"version": "< 1.3.5"
}
]
}
]Related
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
6.8 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
15.6%